
Security Operations

Have you suffered any security breaches in the last 5 years?

Our security systems are airtight, and so far we have not suffered any security breaches.

Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

Yes, we maintain a repository of security incident information for all affected customers, should it be needed. This information can be accessed electronically.

What data monitoring tools are available and is there support for using external monitoring tools?

We have an ELK (Elasticsearch, Logstash, Kibana) stack in place for data monitoring.

Do you use content monitoring and filtering to detect inappropriate data flows?

No, content monitoring and filtering are not done to detect inappropriate data flows.

Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?

Yes, only authorized personnel are allowed at points of ingress and egress, so that access to data storage and processing areas is isolated.

What are the data backup and data archiving procedures? Is it secured?

Data backups are taken daily and stored securely in AWS.

Is there a provision for customer definable backup and Retention Periods of data?

No, backup and retention of data are controlled by Xoxoday. Data is retained in case a future need arises to look into the database.

Is the data stored in the database and in transit scrambled?

Yes, the data is stored in our secure database and is scrambled in transit for maximum security.

Is the client data used for testing purposes?

Our tenants' data is strictly confidential and is never used for testing or staging purposes.

In the case of confirmed security incidents targeted at TCCC, do you provide immediate notification to KO-CIRT?

Yes, in case of confirmed security incidents we promptly notify KO-CIRT so that counter-actions and defensive measures can be taken immediately.

Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

Yes, please go through our "Information Security Management System Manual" for a complete understanding.

Do you review your Information Security Management Program (ISMP) at least once a year?

Our ISMP is annually reviewed and updated if required.

Please provide your Information Security Policy and Privacy Policy.

Please go through the links below to access our policies:

  • Information Security Policy
  • Privacy Policy

Do you ensure your providers adhere to your information security and privacy policies?

Yes, it is crucial that our providers adhere to the Information Security & Privacy Policy of the organization.

Do you follow OWASP (Open Web Application Security Project) guidelines for application development?

Yes, we follow all the technical guidelines published under the Open Web Application Security Project when developing our code and applications.

Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

Yes, we address and remediate all identified security, contractual, and regulatory requirements before granting customers access to data and information systems.

Is MFA (Multi-Factor Authentication) provided as an option?

No, we don't provide multi-factor authentication. At present, OAuth 2.0 and SAML-based tokens are supported. A JSON-based token is available for maximum-security direct-email logins.

Does the product's architecture support continuous operation during upgrades and maintenance windows?

Yes, Xoxoday's architecture is continuously improved and experiences no downtime during upgrades and maintenance windows.

Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

Yes, our event management systems merge these data sources to maintain log data within the SIEM. This supports proper analysis and raises alerts when needed in case of a contingency.

Do you have a documented security incident response plan?

Yes, our documented security incident response plan logs, monitors, and collects relevant security event data for the purpose of investigation.

Do you monitor and quantify the types, volumes, and impacts on all information security incidents?

Yes, any information security incidents are quantified by type, volume, and impact.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

Do you use file integrity (host) and network intrusion detection (IDS) tools for your SaaS solution to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Yes, using host-based and network intrusion detection tools, we ensure timely detection and prompt investigation.

Do you route all outbound internet traffic through a centralized proxy server?

No, all of Xoxoday's servers are hosted with Amazon Web Services in Singapore, and outbound traffic is routed from there.

Do you monitor cyber threats internally, or have you taken services from any third party?

Cyber threats, if any, are managed internally by the tech team.

Do you assess identified threats for applicability and exposure to your environment?

Yes, we regularly audit identified threats for applicability and exposure to our environment.

Do you update your cyber security program based on proactive or reactive threat intelligence feeds?

Yes, we update our cyber security program based on proactive or reactive threat intelligence feeds.

Does your threat feed rely on input from multiple sources?

Xoxoday's broad presence keeps our tech team updated from multiple sources on the latest technological developments and threats.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes, physical segregation is done for production and non-production environments.


Last updated 3 years ago
